[Bug 468923] New: root leak in sudo/sudoers
https://bugzilla.novell.com/show_bug.cgi?id=468923
Summary: root leak in sudo/sudoers
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: koenig@linux.de
QAContact: qa@suse.de
Found By: ---

valid sudoers rules might give users root access without password authentication.
details via private mail to Thomas Biege, Marcus Meissner (opensuse-security) and Todd Miller of sudo fame

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #4 from roland kletzing
so, is there a security bug in sudo itself or is it about "how to escape into root via an arbitrary command, run from sudo?"

--- Comment #5 from Harald Koenig
yes, it's a real bug for a valid sudoers file (but not for the default sudoers settings). sudo developer Todd C. Miller already offered a patch for the problem in 1.6.9p19 which I just verified for our use case.
--- Comment #15 from Thomas Biege
Harald, can I forward your email to vendor-sec (private ML for linux and bsd folks)?
--- Comment #16 from Harald Koenig
sure, no problem...
--- Comment #20 from Harald Koenig
CVE-2009-0034
so here is my original bug report:

--- 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ---

at least sudo 1.6.9p17 to 1.6.9p19 show the following problem (1.7.0 is ok for my quick test):

using the following in sudoers

    Runas_Alias RUNASLIST = koenig,%video
    harald ALL=(RUNASLIST) NOPASSWD: ALL

I try to allow user "harald" to switch to user koenig and to all users in group video. this intended functionality works fine.

BUT iff user harald _is_ in group video himself, then harald can sudo to _any_ user without password -- including root! the output of "sudo -l" does not show this "feature", fortunately ;)

if harald does not belong to group video, everything is fine and only switching to users in group video is allowed without password.

we found this problem in 1.6.9p17 (local build) and verified for 1.6.9p18/19 too, including the 1.6.9p19 binary being shipped in openSUSE 11.1 (sudo-1.6.9p17-10.35 x86_64). only my 1.7.0 build (all 64 bit btw) works as expected.

[ ... ]

since 1.7.0 code changed significantly since p19, it would be nice to release a 1.6.9p20 security fix, isn't it ?!

btw: do you expect such security problems to be reported via the public mailing lists or bugzilla or similar, or what's the correct/best place to report such issues first ?

I've created "empty" bugzilla entries for now:
http://www.gratisoft.us/bugzilla/show_bug.cgi?id=327
https://bugzilla.novell.com/show_bug.cgi?id=468923

--- 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ---

and I verified the patch below from Todd C. Miller which fixed our problem.
the patch is now available here http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&f=h

--- 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< --- Index: parse.c =================================================================== RCS file: /home/cvs/courtesan/sudo/parse.c,v retrieving revision 1.160.2.21 diff -u -r1.160.2.21 parse.c --- parse.c 2 Nov 2008 14:35:53 -0000 1.160.2.21 +++ parse.c 23 Jan 2009 19:16:55 -0000 @@ -651,9 +651,11 @@ /* * If the user has a supplementary group vector, check it first. */ - for (i = 0; i < user_ngroups; i++) { - if (grp->gr_gid == user_groups[i]) - return(TRUE); + if (strcmp(user, user_name) == 0) { + for (i = 0; i < user_ngroups; i++) { + if (grp->gr_gid == user_groups[i]) + return(TRUE); + } } if (grp->gr_mem != NULL) { for (cur = grp->gr_mem; *cur; cur++) { --- 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ---

thanks for the quick response!
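Review bot: The new `strcmp(user, user_name) == 0` gate is the missing check behind the report (`user_groups` is the invoking user's own supplementary vector, so consulting it for a different `user` made every runas target look like a member of every group the invoker is in), but the comment directly above it, `If the user has a supplementary group vector, check it first.`, still describes the old behaviour; reword it to say the cached vector is only valid when `user` is the invoking user and that every other user falls through to `grp->gr_mem`. Please also add a regression case for the report's rule (`Runas_Alias RUNASLIST = koenig,%video` with the invoker in group video, target root) so the fall-through path stays covered.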
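The matching logic Harald describes, modelled as an added Python example (not sudo's own code and not from this thread): a constructed group database, the Runas_Alias from the report, and the buggy and fixed variants of the %group check side by side. The function names, group ids and group vectors are assumptions; only the rule and the outcomes come from the bug report.

```python
"""Model of the sudo 1.6.9p17-p19 %group runas bug (CVE-2009-0034).
Added example, not sudo's code: group database, group vectors and names
are constructed; the Runas_Alias and outcomes follow the bug report."""
from dataclasses import dataclass

# Constructed /etc/group: name -> (gid, explicit member list).
GROUPS = {"video": (33, ["koenig"]), "users": (100, [])}
# Constructed supplementary group vectors; sudo only holds one of these,
# the *invoking* user's (user_groups in parse.c).
GROUP_VECTORS = {"harald": [100, 33], "bob": [100]}

@dataclass
class Context:
    user_name: str      # invoking user
    user_groups: list   # invoking user's supplementary gids

def usergr_matches(ctx, group, user, fixed):
    """Is `user` a member of `group`?  Mirrors the parse.c logic.
    Buggy: the invoker's cached group vector is consulted whichever user
    is being tested, so every candidate "belongs" to every group the
    invoker is in.  Fixed: the vector counts only when the candidate is
    the invoker; everyone else falls through to the explicit member list."""
    gid, members = GROUPS[group]
    if (not fixed or user == ctx.user_name) and gid in ctx.user_groups:
        return True
    return user in members

def runas_matches(ctx, runas_list, target, fixed):
    """Runas_Alias check: plain names match exactly, %group entries match
    when the target user is a member of that group."""
    for entry in runas_list:
        if entry.startswith("%"):
            if usergr_matches(ctx, entry[1:], target, fixed):
                return True
        elif entry == target:
            return True
    return False

RUNASLIST = ["koenig", "%video"]   # Runas_Alias RUNASLIST from the report

def can_switch(invoker, target, fixed):
    """May `invoker` run a command as `target` under the report's rule?"""
    ctx = Context(invoker, GROUP_VECTORS[invoker])
    return runas_matches(ctx, RUNASLIST, target, fixed)

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", "harald -> root:",
              can_switch("harald", "root", fixed))
```

With the buggy check, harald (a member of video) matches root through `%video`; with the fix, only koenig, harald himself and the explicit members of video match, and a user outside video (bob) is unaffected either way.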